New and emerging tools for security automation and response can create a more agile threat response that supports grid resiliency.
Utility Networks Agile Response Capabilities - New Context at EnergySec 2019
1. New Context protects data and the movement of data in highly regulated industries
PREPARED FOR:
Using Security Orchestration in Utility Networks to create an Agile Threat Response and Enhance Resiliency
EnergySec Security and Compliance Summit 2019
August 19-21, 2019
2. 20+ years security & product experience.
Advocacy on security appears in CNBC, Forbes, and NYT.
Previously CloudPassage, nCircle, and Tripwire.
San Francisco
Andrew Storms, CISSP
VP, Product at New Context
@St0rmz
New Context Services, Inc.
EnergySec Security & Compliance Summit 2019
3. https://enterprise.verizon.com/resources/reports/2019-data-breach-investigations-report.pdf
Breach (00:00:00): The time from the attacker’s first action in an event chain to the initial compromise of an asset is typically measured in minutes
Detection (56%): 56% of breaches took months or longer to discover
https://go.attackiq.com/PR-2019-PONEMON-REPORT_LP.html
Functional (53%): 53% have no idea how well the tools and software implemented in corporate networks are performing
Failure (63%): 63% said they have experienced a security control reporting a threat blocked when in reality the tool failed to stop malicious behavior
Speed, Measure and Learn
• Speed to assess and react is key
• Humans may take too long to analyze the situation
• Humans don’t scale well against machines
• Trust but verify
4. TOPICS
• Agile Response System
• System Components
• Response Types
• Risks
• Metrics
6. TERMINOLOGY
• Indicators: things I’m looking for. Example: egress traffic on port 666
• Observables: things I saw. Example: traffic on port 666 src myIP dest outsideIP
• Actuator: component that is responsible for taking action. Example: block traffic at firewall on port 666
Related tools: STOTS, FIT, STIG, TMA
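The indicator / observable / actuator split above, worked through as an added Python example (this is not code from the deck or from New Context’s tools). The indicator is "egress traffic on port 666", the observables are constructed flow records, and the actuator is a stand-in firewall that records block rules instead of talking to a real device. The address range, the flow records and the FirewallActuator class are assumptions made for the example. It also adds the "trust but verify" step from the statistics slide: after the actuator acts, the same indicator is re-run over fresh flows to confirm the block actually took effect rather than trusting the control’s own report.

```python
"""Indicator -> observable -> actuator, then verify (added example, not deck code)."""
from __future__ import annotations
from dataclasses import dataclass
import ipaddress

# Constructed assumption: the address space the utility considers "my network".
MY_NETWORK = ipaddress.ip_network("10.20.0.0/16")


@dataclass(frozen=True)
class Indicator:
    """What I'm looking for: an egress flow to a given destination port."""
    name: str
    dst_port: int
    direction: str = "egress"


@dataclass(frozen=True)
class Observable:
    """What I saw: one flow record (sample records are constructed below)."""
    src: str
    dst: str
    dst_port: int
    proto: str


def is_egress(obs: Observable) -> bool:
    """Egress means the source is inside our network and the destination is not."""
    return (ipaddress.ip_address(obs.src) in MY_NETWORK
            and ipaddress.ip_address(obs.dst) not in MY_NETWORK)


def match(indicator: Indicator, observables) -> list[Observable]:
    """Return the observables that satisfy the indicator."""
    hits = []
    for obs in observables:
        if obs.dst_port != indicator.dst_port:
            continue
        if indicator.direction == "egress" and not is_egress(obs):
            continue
        hits.append(obs)
    return hits


class FirewallActuator:
    """Actuator: the component responsible for taking the action.
    Hypothetical stand-in that stores block rules instead of programming a firewall."""

    def __init__(self) -> None:
        self.rules: list[dict] = []

    def block(self, indicator: Indicator, hit: Observable) -> dict:
        rule = {"action": "block", "direction": indicator.direction,
                "dst": hit.dst, "dst_port": hit.dst_port, "reason": indicator.name}
        if rule not in self.rules:   # idempotent: one rule per destination/port
            self.rules.append(rule)
        return rule


def respond(indicator: Indicator, observables, actuator: FirewallActuator) -> list[dict]:
    """Match the indicator, hand every hit to the actuator, return the rules applied."""
    return [actuator.block(indicator, hit) for hit in match(indicator, observables)]


def verify(indicator: Indicator, post_action_flows) -> bool:
    """Trust but verify: after the action, the indicator must no longer match new flows.
    A control that reports 'blocked' while traffic still flows fails this check."""
    return not match(indicator, post_action_flows)


# Constructed sample flow records (documentation ranges, not real hosts).
SAMPLE_FLOWS = [
    Observable("10.20.1.15", "203.0.113.7", 666, "tcp"),   # egress on 666 -> hit
    Observable("10.20.1.15", "203.0.113.7", 666, "tcp"),   # same flow seen again
    Observable("10.20.1.16", "10.20.2.9", 666, "tcp"),     # internal only, not egress
    Observable("198.51.100.4", "10.20.1.15", 666, "tcp"),  # ingress, not egress
    Observable("10.20.1.15", "203.0.113.7", 443, "tcp"),   # wrong port
]
PORT_666_EGRESS = Indicator("egress-port-666", dst_port=666)

if __name__ == "__main__":
    fw = FirewallActuator()
    for rule in respond(PORT_666_EGRESS, SAMPLE_FLOWS, fw):
        print(rule)
    print("verified:", verify(PORT_666_EGRESS, SAMPLE_FLOWS[4:]))
```

The two duplicate flows produce one firewall rule, the internal and ingress flows on port 666 are ignored because the indicator is direction-specific, and `verify` is the feedback loop: it is evaluated against flows captured after the actuator ran, not against the actuator’s own return value.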
7. AGILE RESPONSE SYSTEM COMPONENTS
• Automation: machine to machine communications
• Interoperate: common data structures
• Adapt behaviors: contextual awareness
• Secure and trusted: confidentiality, integrity, and availability
• Measure and improve: feedback loops
• Take action: actuators
8. AGILE RESPONSE SYSTEM COMPONENTS (Common data structures, Machine to machine communications, Contextual awareness)
• Structured Threat Observable Tool Set (STOTS)
• Structured Threat Information Expression (STIX)
• STOTS focuses on surgical detection and response for a specific threat, enabling cyber defenders to be more agile in defense against cyber adversaries.
• Detection and monitoring that can be used by the most advanced and the most basic cyber personnel to find IOCs for configuration-specific systems.
Source: "Creative Destruction and Agnostic Detection using a Structured Threat Observable Tool Set", Bryce McClurg, Idaho National Laboratory
9. AGILE RESPONSE SYSTEM COMPONENTS (Common data structures, Machine to machine communications, Contextual awareness)
• Use of STIX and ELK to quickly discover potentially malicious activity.
• Vendor-agnostic means to achieve these goals, in addition to providing a means to share these findings.
• Leveraging off-the-shelf big data tools such as Elasticsearch.
• Facilitate rapid querying of complex STIX observables.
Source: "STIX and Big Data", Christian O. Hunt, New Context Services
10. AGILE RESPONSE SYSTEM COMPONENTS (Actuators, Feedback loops)
• Threat Monitoring Appliance (TMA)
• Test harness toolset for STIX-based observables and indicators.
• Runs inside OT networks and executes the responses.
• Developed by New Context as part of the California Energy for the 21st Century (CES-21) project.
11. AGILE RESPONSE AREAS (Actuators, Feedback loops)
• Address the entire asset lifecycle with automation
• 3/4ths of the P-F curve happens prior to failure
• Take an automation-first approach
• Capture metrics from day 1
12. AGILE RESPONSE EXAMPLES (Actuators, Feedback loops)
Proactive (left of BOOM):
• Failover
• File integrity monitoring
• Information capture
• Long term heuristics
• Maintenance
• State estimation
• Tuning
• Whitelisting
Reactive (right of BOOM):
• ARP correction
• Block IP, protocol, session, application
• Failover
• File integrity monitoring
• Long term heuristics
• Scale up/down
13. AGILE RESPONSE RISK TYPES (Actuators, Feedback loops)
• Risk associated with the threat and risk associated with the response
• Some response actions pose risk regardless of whether they are run by a human or a machine
• We likely already know how to assess the risk, but require modifications to existing tools or processes.
14. AGILE RESPONSE RISK METRICS (Actuators, Feedback loops)
• There is an inherent risk with automation.
• Many types of metrics should be considered
16. AGILE RESPONSE RISK METRICS (Actuators, Feedback loops)
Effectiveness (gauge: 59%): Does the response work?
Trustworthy (gauges: 90, 75, 80): Can I trust the source?
• Does the response work?
• Was it tested in our lab?
• Was it tested by the vendor or other 3rd party?
• What is the source of the info?
• Was it digitally signed?
• Reputation factor
17. AGILE RESPONSE RISK METRICS (Actuators, Feedback loops)
Window of Opportunity (gauge: 00:00:10): Must I act now?
• If I don’t act now, will the opportunity close?
• Will the response action be different later?
Reversibility (gauge: Yes): Can I roll back?
• Can I roll back if this breaks?
Cost of Operational Degradation (gauge: $1M): Loss of revenue or decline in company value
• Are there fines or lost revenue?
18. AGILE RESPONSE RISK METRICS (Actuators, Feedback loops)
Physical Impact: Is safety compromised?
• Magic smoke?
• Effects on health or human welfare?
Digital Impact (gauge: 95%): Is my network affected?
• Are networks affected?
• Will this delete data?
• Does this expose our network to other risks?
19. AGILE RESPONSE RISK METRICS (Actuators, Feedback loops)
Redundancy Impact (gauge: N+1): Will it affect reliability?
• Is reliability compromised?
• Diversity of systems?
• Can the backup system handle the entire load?
Regulatory Impact (gauge: No): Will I have to report to NERC?
• Will I be fined?
• Do we have enough data to prove this is the best option?
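The risk-metric slides (effectiveness, trustworthiness, window of opportunity, reversibility, cost of operational degradation, physical and digital impact, redundancy and regulatory impact) list questions; the deck does not say how to combine the answers. The following is an added Python example, not code from the deck or from New Context, that turns those questions into a gate deciding whether an actuator may run unattended, needs a human approval first, or must stay manual. The weights, thresholds, the 60-second urgency window, the $1M cost ceiling and the five scenarios are constructed assumptions for the example; a real deployment would calibrate them from its own incident data and comfort level with automation.

```python
"""Risk gate for an automated response action (added example, not deck code)."""
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class ResponseRisk:
    """One answer per metric question from the deck. Fractions are 0..1."""
    effectiveness: float      # Does the response work? (share of successful runs)
    trust_lab_tested: bool    # Was it tested in our lab?
    trust_third_party: bool   # Was it tested by the vendor or other 3rd party?
    trust_signed: bool        # Was it digitally signed?
    reputation: float         # Reputation factor of the source
    window_seconds: float     # If I don't act now, how soon does the opportunity close?
    reversible: bool          # Can I roll back if this breaks?
    cost_usd: float           # Cost of operational degradation
    physical_impact: bool     # Is safety compromised? Magic smoke?
    digital_impact: float     # Is my network affected? (fraction of the network)
    redundancy_ok: bool       # Can the backup system handle the entire load?
    nerc_reportable: bool     # Will I have to report this to NERC?


# Constructed weights: how much each favourable factor counts toward automating.
WEIGHTS = {"effectiveness": 0.25, "trust": 0.25, "reversible": 0.15, "cost": 0.10,
           "digital": 0.10, "redundancy": 0.10, "regulatory": 0.05}
MAX_TOLERABLE_COST_USD = 1_000_000.0   # constructed ceiling, taken from the deck's $1M gauge
URGENT_WINDOW_SECONDS = 60.0           # constructed: below this a human cannot act in time
AUTO_THRESHOLD, URGENT_AUTO_THRESHOLD, APPROVE_THRESHOLD = 0.75, 0.60, 0.50


def trust_score(r: ResponseRisk) -> float:
    """Trustworthiness sub-score: lab testing counts most, then third-party testing,
    a digital signature, and the source's reputation."""
    return (0.4 * r.trust_lab_tested + 0.2 * r.trust_third_party
            + 0.2 * r.trust_signed + 0.2 * r.reputation)


def automation_score(r: ResponseRisk) -> float:
    """Weighted sum where 1.0 means every metric favours an unattended response."""
    factors = {
        "effectiveness": r.effectiveness,
        "trust": trust_score(r),
        "reversible": 1.0 if r.reversible else 0.0,
        "cost": 1.0 - min(r.cost_usd / MAX_TOLERABLE_COST_USD, 1.0),
        "digital": 1.0 - r.digital_impact,
        "redundancy": 1.0 if r.redundancy_ok else 0.0,
        "regulatory": 0.0 if r.nerc_reportable else 1.0,
    }
    return sum(WEIGHTS[k] * v for k, v in factors.items())


def decide(r: ResponseRisk) -> str:
    """Return 'auto', 'approve' (human sign-off first), 'manual' or 'reject'."""
    # Hard stops: these risks exist whether a human or a machine runs the action.
    if r.physical_impact:
        return "manual"                     # safety is never left to the machine
    if not r.reversible and r.nerc_reportable:
        return "manual"                     # irreversible and reportable: humans own it
    score = automation_score(r)
    urgent = r.window_seconds < URGENT_WINDOW_SECONDS
    if score >= AUTO_THRESHOLD:
        return "auto"
    if urgent and r.reversible and score >= URGENT_AUTO_THRESHOLD:
        return "auto"                       # opportunity closes before a human could act
    if score >= APPROVE_THRESHOLD:
        return "approve"
    return "reject"


# Constructed scenarios (names and numbers are illustrative, not from the deck).
SCENARIOS = {
    "block_port_666_egress": ResponseRisk(0.9, True, True, True, 0.8, 10, True, 5_000,
                                          False, 0.05, True, False),
    "failover_to_backup_gateway": ResponseRisk(0.7, True, False, False, 0.5, 3_600, True,
                                               200_000, False, 0.4, False, True),
    "power_cycle_rtu": ResponseRisk(0.8, True, True, True, 0.9, 10, True, 1_000,
                                    True, 0.1, True, False),
    "untrusted_wipe_script": ResponseRisk(0.3, False, False, False, 0.2, 3_600, False,
                                          2_000_000, False, 0.9, False, False),
    "rate_limit_remote_access": ResponseRisk(0.6, True, False, False, 0.6, 30, True,
                                             50_000, False, 0.3, True, False),
    "rate_limit_remote_access_no_rush": ResponseRisk(0.6, True, False, False, 0.6, 3_600,
                                                     True, 50_000, False, 0.3, True, False),
}

if __name__ == "__main__":
    for name, risk in SCENARIOS.items():
        print(f"{name:36s} score={automation_score(risk):.3f} -> {decide(risk)}")
```

The last two scenarios differ only in the window of opportunity: the same rate-limit action scores 0.745, just under the unattended threshold, so with an hour to spare it goes to a human, while with a 30-second window and a roll-back path it runs automatically. The physical-impact hard stop fires before any score is computed, which is the slide’s point that some response actions carry risk regardless of who runs them.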
20. SUMMARY (Actuators, Feedback loops, Common data structures, Machine to machine communications, Contextual awareness)
• What is an agile response system
• Uses for an agile response system
• Don’t solely focus on right of boom
• Plenty of opportunity for automation in the asset lifecycle
21. SUMMARY (Actuators, Feedback loops, Common data structures, Machine to machine communications, Contextual awareness)
• Categorize response types
• Use your individual comfort level with automated responses
• Use metrics to determine the risk of the agile response
• Measure effectiveness of the system and learn
23. REFERENCES
2019 Data Breach Investigations Report
https://enterprise.verizon.com/resources/reports/2019-data-breach-investigations-report.pdf
California Energy Systems for the 21st Century
https://www.llnl.gov/news/california-utilities-partner-lawrence-livermore-improve-states-energy-grid
CIS Control 1: Inventory and Control of Hardware Assets
https://www.cisecurity.org/controls/inventory-and-control-of-hardware-assets/
The Cybersecurity Illusion: The Emperor Has No Clothes
https://go.attackiq.com/PR-2019-PONEMON-REPORT_LP.html
Identifying Critical Cyber Assets
https://www.nerc.com/docs/cip/sgwg/Critcal_Cyber_Asset_ID_V1_Final.pdf
Machine Actionable Indicators of Compromise
Doug Rhoades, Southern California Edison
The new Department of Defense (DOD) guide for achieving and assessing RAM (reliability, availability, and maintainability)
Y. Jackson, P. Tabbagh, P. Gibson, E. Seglie
https://ieeexplore.ieee.org/document/1408329
NIST Special Publication 800-37: Risk Management Framework for Information Systems and Organizations
https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-37r2.pdf
Sharable & Implementable Threat Intelligence
Rita Foster and Jed Haile, Idaho National Laboratory; John Tran, Southern California Edison; Andrew Storms, New Context
Structured Threat Information Expression
https://oasis-open.github.io/cti-documentation/
Structured Threat Information Graph
https://github.com/idaholab/STIG